from lib.cuckoo.common.abstracts import Signature


class OpenImg2StackOverflow(Signature):
    """Flag samples whose registry activity touches GRE_Initialize\\DisableMetaFiles.

    Every registry key reported by ``check_key`` that matches one of the
    patterns in ``regkeys_re`` is recorded as a "registry" IOC, and the
    signature fires when at least one mark was recorded.

    NOTE(review): the only evidence this signature collects is the registry
    key match. It does not itself observe a crash, a stack overflow or code
    execution, so a hit is a lead to corroborate with other behavioural
    data rather than proof of the condition stated in ``description``.
    """

    name = "opening_img_causes_stack_overflow"
    description = (
        "A stack overflow is triggered when trying to process a special graphics file "
        "through GDI functions, resulting in the execution of arbitrary instructions."
    )
    severity = 3
    categories = ["reg"]
    authors = ["xuhy"]
    minimum = "2.0"

    # Registry path ending in
    # ...\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles,
    # under any hive prefix, with an optional Wow6432Node component.
    regkeys_re = [
        r".*\\(SOFTWARE|Software)\\(Wow6432Node\\|WOW6432Node\\)?Microsoft\\Windows NT"
        r"\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles$",
    ]

    def on_complete(self):
        """Mark every matching registry key and report whether any was found."""
        for pattern in self.regkeys_re:
            # all=True asks check_key for every match, not just the first.
            # NOTE(review): which registry actions (open/read/write/delete)
            # check_key inspects is not visible here; confirm, since reads
            # and writes of this value mean different things to an analyst.
            matches = self.check_key(pattern=pattern, regex=True, all=True)
            for matched_key in matches:
                self.mark_ioc("registry", matched_key)

        return self.has_marks()
